Firewall Analyzer - Security advisory regarding CVE-2020-11946

This is an announcement regarding a security advisory addressing an unauthenticated servlet call vulnerability fixed in the latest version of Firewall Analyzer, v12.4.196. PLEASE READ THROUGH THIS POST COMPLETELY to check whether your installation is affected and, if it is, to learn how to resolve it.


Issue and description: 


Unauthenticated API key disclosure - An access path that returned the product's API key without authentication was discovered in the product. An attacker could use the disclosed key to add an admin user through an API call and then carry out admin-level operations. This is a critical security vulnerability. (Refer: CVE-2020-11946)


Who has been affected?


Any Firewall Analyzer installation with build number between and 12.4.195 (for product versions v12.3 and v12.4), and build number between 12.5.001 and 12.5.119 (for product version v12.5) could be exploited using this vulnerability.


How did the security team at ManageEngine resolve this vulnerability?


This issue was reported to us by @kuncho, an independent security researcher, on April 12. As soon as we were informed of this, suitable authentication checks were added to the API call, and the Firewall Analyzer version carrying the fix, v12.4.196, was released for all products on April 22, 2020.



How can I identify if my installation has been compromised?


    1. Check whether any new FWA user accounts that look suspicious exist in the product, by navigating to Settings > General Settings > User management. If there are any, delete the new user profile immediately and contact our support team.

    2. Also check the access logs for unauthenticated requests. Under the "logs" folder in the product installation directory, open access_log.txt and check whether any of the following API calls were made from an external IP, i.e. an address without the suffix "- localhost" next to it: 

        i. sendData - the call that exposes the API key to the attacker

        ii. addUser - a user may have been added using the obtained key

        iii. testNProfile - possible RCE performed on some or all devices in the network


If any of these are noticed in your setup, IMMEDIATELY SHUT DOWN THE INSTALLATION, and contact our support team.
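The log check in step 2 above, as an added example that is not part of this advisory or of the product: the script below scans access_log.txt for the three indicator calls issued from addresses that are not marked "- localhost", then groups the hits per client so you can see how far along the chain (key disclosure, user creation, profile test) each source got. The line layout it parses (an Apache-style "client - user [timestamp] "request" status" record with "localhost" in the user field for local requests) and the embedded sample lines are assumptions constructed for the example; adjust LINE_RE if your build writes the log differently.

```python
import re
import sys
from typing import Dict, List, Optional

# Calls named in the advisory, in the order an attacker would chain them.
INDICATORS = ("sendData", "addUser", "testNProfile")

# ASSUMED layout of access_log.txt (not confirmed by the advisory):
#   <client> - <localhost marker or "-"> [<timestamp>] "<METHOD> <path> HTTP/x.y" <status> <bytes>
LINE_RE = re.compile(
    r'^(?P<client>\S+)\s+-\s+(?P<user>\S+)\s+\[(?P<ts>[^\]]+)\]\s+'
    r'"(?P<method>[A-Z]+)\s+(?P<path>\S+)[^"]*"\s+(?P<status>\d{3})'
)

# Constructed sample lines for offline use; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
127.0.0.1 - localhost [22/Apr/2020:10:01:02 +0000] "GET /servlet/sendData?action=status HTTP/1.1" 200 512
203.0.113.45 - - [22/Apr/2020:10:05:17 +0000] "POST /servlet/sendData HTTP/1.1" 200 1024
203.0.113.45 - - [22/Apr/2020:10:05:40 +0000] "POST /api/addUser?apiKey=REDACTED HTTP/1.1" 200 88
127.0.0.1 - localhost [22/Apr/2020:10:06:00 +0000] "GET /index.jsp HTTP/1.1" 200 4096
198.51.100.7 - - [22/Apr/2020:10:07:11 +0000] "POST /api/testNProfile HTTP/1.1" 200 300
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one access-log record into fields; None if it does not match the assumed layout."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_local(entry: Dict[str, str]) -> bool:
    """A request is local if it carries the '- localhost' marker or comes from a loopback address."""
    return entry["user"].lower() == "localhost" or entry["client"] in ("127.0.0.1", "::1")


def matched_indicator(path: str) -> Optional[str]:
    """Return the indicator call name contained in the request path, if any (case-insensitive)."""
    lowered = path.lower()
    for name in INDICATORS:
        if name.lower() in lowered:
            return name
    return None


def find_suspicious(log_text: str) -> List[Dict[str, str]]:
    """Collect indicator calls that were NOT made locally, one record per matching line."""
    hits: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue  # unparseable line: not silently treated as clean, just skipped here
        name = matched_indicator(entry["path"])
        if name is None or is_local(entry):
            continue
        hits.append({"client": entry["client"], "ts": entry["ts"],
                     "call": name, "status": entry["status"]})
    return hits


def triage(hits: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group hits per client and list which stages of the chain each client reached, in chain order."""
    seen: Dict[str, set] = {}
    for h in hits:
        seen.setdefault(h["client"], set()).add(h["call"])
    return {client: [n for n in INDICATORS if n in calls] for client, calls in seen.items()}


if __name__ == "__main__":
    # Usage: python fwa_log_check.py [path/to/access_log.txt]; defaults to the sample above.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for client, stages in triage(find_suspicious(text)).items():
        print(f"{client}: {' -> '.join(stages)}")
```

A client that reached addUser should be treated as a confirmed account-creation attempt regardless of the HTTP status, and an empty result only covers the log you scanned; any rotated or truncated copies of access_log.txt need the same check.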


What can I do to fix this vulnerability?


If you are on any Firewall Analyzer build up to 12.4.195, it is advised to upgrade to Firewall Analyzer v12.4.196 right away from the Firewall Analyzer service pack page.


For users of Firewall Analyzer version 12.5, it is advisable to upgrade to build 12.5.120 using the link below: Download Firewall Analyzer 12.5.120


You can also directly contact our security team for assistance with the upgrade at
